Implementing a firewall policy is basic survival for internet-facing servers. AWS provides Security Groups as a mandatory allow-list firewall that limits which inbound ports are reachable on an EC2 instance: nothing gets in unless you explicitly allow a port/protocol from a specific IP address or CIDR range. Within a Virtual Private Cloud (VPC), Security Groups also support outbound (egress) rules, so you can restrict what your instances are allowed to talk to as well.

The AWS firewall is enforced outside of the instance and is controlled with your AWS credentials rather than from inside the operating system. This ensures your baseline firewall policy stays in place even if the operating system in the instance is compromised: an attacker with root on the box still cannot open ports in the Security Group.

Expect it to heat up? Dress in layers

In addition to filtering by source IP or CIDR, you can open a port to another Security Group (within the same VPC, or within the same AWS region for EC2-Classic). This allows you to create tiers of protection that map to your application tiers: the web servers need inbound 80/443 from the internet, the application tier accepts its service port only from the web tier's Security Group, the database tier only from the application tier's group, and so on. The non-web tiers then only need to be reached from outside for operational or troubleshooting purposes, so you can restrict that access (for example, SSH to the application tier) to specific IPs such as your office or home.
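As an added example (not part of the original post), the following Python script audits a set of Security Groups against the tiering rule described above: only the public-facing tier may accept traffic from the world, and only on 80/443; admin ports are reachable only from a trusted range; internal tiers are reached by referencing the calling tier's Security Group rather than a CIDR. The input mirrors the shape of `aws ec2 describe-security-groups` output, but the group IDs, names and CIDR ranges are constructed for illustration, and the trusted admin range and the set of public groups are assumptions for the example.

```python
"""Audit AWS Security Groups against a tiered access policy.

Added example. The input mirrors the structure returned by
`aws ec2 describe-security-groups`; the group IDs, names and CIDR
ranges are constructed for illustration and are not real resources.
"""
import ipaddress

ANYWHERE = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}       # the only ports the public tier may expose to the world
ADMIN_PORTS = {22, 3389}    # SSH / RDP: only from trusted ranges
TRUSTED_ADMIN_CIDRS = ["198.51.100.0/24"]   # assumed office/VPN range
PUBLIC_GROUPS = {"sg-web"}                   # assumed internet-facing tier

# Constructed sample in describe-security-groups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        # Good: service port only from the web tier's group.
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        # Bad: SSH open to the world on an internal tier.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        # Bad: a broad CIDR instead of the app tier's group.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        # Bad: all protocols and ports from anywhere.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []},
    ]},
]


def port_range(perm):
    """Return (low, high) for a permission; protocol '-1' means every port."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def is_trusted(cidr):
    """True if cidr lies entirely inside one of the trusted admin ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    for trusted in TRUSTED_ADMIN_CIDRS:
        t = ipaddress.ip_network(trusted, strict=False)
        if net.version == t.version and net.subnet_of(t):
            return True
    return False


def audit_groups(groups, public_groups=PUBLIC_GROUPS):
    """Return (group_id, message) findings for rules that break the tier policy."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        public = gid in public_groups
        for perm in group.get("IpPermissions", []):
            lo, hi = port_range(perm)
            touches_admin = any(lo <= p <= hi for p in ADMIN_PORTS)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ANYWHERE:
                    # Only the public tier may face the internet, and only on web ports.
                    if not (public and lo == hi and lo in WEB_PORTS):
                        findings.append((gid, f"{lo}-{hi}/{perm['IpProtocol']} open to the world"))
                elif touches_admin and not is_trusted(cidr):
                    findings.append((gid, f"admin port {lo}-{hi} reachable from untrusted {cidr}"))
                elif not public and not touches_admin:
                    # Internal tiers should be reached via the caller's group, not a CIDR.
                    findings.append((gid, f"{lo}-{hi} allowed from CIDR {cidr}; reference the caller's security group instead"))
            # Group-to-group rules (UserIdGroupPairs) are exactly what this policy wants.
    return findings


if __name__ == "__main__":
    for gid, msg in audit_groups(SAMPLE_GROUPS):
        print(f"{gid}: {msg}")
```

Run against the sample it reports the three deliberate mistakes (world-open SSH on the app tier, a CIDR instead of a group reference on the database port, and an all-traffic rule from anywhere) and nothing for the web tier. Feeding it real `describe-security-groups` JSON is a one-line change, and the same check runs well as a gate in whatever deploys your Security Groups.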

More granular policy – Host-based firewalls can perform tasks Security Groups cannot, such as blocking countries under export control, handling protocols like active FTP whose secondary connections need an application-layer helper to track, or maintaining an annotated list of known IPs for RDP/SSH.

Logs – Security Groups do not tell you what traffic they are blocking (VPC Flow Logs record accepted and rejected flows per network interface, but not which rule matched or any packet detail). A host-based firewall can log every dropped packet, giving you additional visibility and letting you troubleshoot access issues, for example a user who cannot reach SSH because they are coming from an address you did not expect.
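As an added example (not from the original post), here is a small Python parser for the kernel log lines that an iptables `LOG` target emits when it is placed just ahead of the `DROP` rule. The `IPT-DROP:` prefix is an assumed `--log-prefix`, and the log lines are constructed. It summarises what the host firewall is blocking and flags drops that came from a source range you meant to allow, which is the troubleshooting question the logs answer.

```python
"""Summarise what a host firewall is dropping from iptables LOG lines.

Added example, not from the original post. The log lines below are
constructed; the 'IPT-DROP:' prefix is an assumed --log-prefix set on a
LOG rule placed just before the DROP rule.
"""
import ipaddress
import re
from collections import Counter

# iptables LOG output is a run of KEY=VALUE tokens (flags like SYN/DF have no '=').
KV = re.compile(r"(\w+)=(\S*)")
LOG_PREFIX = "IPT-DROP:"

SAMPLE_LOG = """\
Mar  3 10:15:02 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.1.12 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 SYN URGP=0
Mar  3 10:15:03 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.1.12 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 SYN URGP=0
Mar  3 10:15:09 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=10.0.1.12 LEN=60 TTL=61 ID=0 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=64240 SYN URGP=0
Mar  3 10:15:11 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.1.12 LEN=88 TTL=48 ID=0 PROTO=UDP SPT=5353 DPT=161
Mar  3 10:15:12 web1 sshd[2201]: Accepted publickey for ec2-user from 198.51.100.23 port 40023 ssh2
"""


def parse_drops(log_text, prefix=LOG_PREFIX):
    """Return one dict of packet fields per dropped-packet log line."""
    drops = []
    for line in log_text.splitlines():
        if prefix not in line:
            continue                     # not a firewall drop (e.g. an sshd line)
        payload = line.split(prefix, 1)[1]
        drops.append(dict(KV.findall(payload)))
    return drops


def top_blocked(drops, n=10):
    """Most frequent (source, protocol, destination port) triples."""
    return Counter((d.get("SRC"), d.get("PROTO"), d.get("DPT")) for d in drops).most_common(n)


def drops_from_trusted(drops, trusted_cidrs):
    """Drops whose source is in a range you meant to allow: a likely policy bug."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    hits = []
    for d in drops:
        try:
            src = ipaddress.ip_address(d["SRC"])
        except (KeyError, ValueError):
            continue                     # malformed or truncated line
        if any(src.version == n.version and src in n for n in nets):
            hits.append(d)
    return hits


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    print("blocked:", top_blocked(drops))
    for d in drops_from_trusted(drops, ["198.51.100.0/24"]):
        print("trusted source dropped:", d["SRC"], d["PROTO"], d["DPT"])
```

The summary shows 203.0.113.7 probing SSH, and the trusted-source check surfaces the one drop that matters for troubleshooting: an SSH attempt from the office range that the host policy rejected even though the Security Group would have allowed it. That is information you cannot get from the AWS console alone.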

Defense in depth – Deploying a host-based firewall also adds protection in the event that your AWS credentials are compromised: an attacker who can rewrite your Security Groups through the API still has to get past a firewall that is configured and enforced inside the instance.

What are your favorite tips on designing a firewall policy in AWS? Please share them in the comments! And if you’re interested in securing your EC2 or VPC instances, check out our new Deep Security as a Service for cloud servers, currently in free Beta.